HP-UX IPSec A.01.07.02 Release Notes

Pre-Installation Migration Instructions
Before installing HP-UX IPSec version A.01.07.02, verify that your installation meets the
following conditions:

- MD5 version compatibility: If you are using MD5 transforms, all HP-UX IPSec systems
  must be version A.01.04 or higher. For more information, refer to “MD5 Version
  Compatibility” on page 7.
- Migrating from HP-UX IPSec versions prior to A.01.03 (such as A.01.01 or A.01.02): You
  must follow the procedure listed in “Migrating from Versions Prior to A.01.03” on page 8.

MD5 Version Compatibility
HP-UX IPSec versions A.01.04 and higher fix a defect in the HP-UX IPSec MD5 algorithm. If
you are using an earlier version of HP-UX IPSec (A.01.03 or earlier) to communicate with
IPSec version A.01.04 or later and using a transform with MD5, the authentication will
intermittently fail and HP-UX IPSec will drop the packet and report an error.
If you are currently using HP-UX IPSec with any of the following transforms, you must
simultaneously upgrade all your systems to HP-UX IPSec version A.01.04 or higher.

- AH-MD5 transforms
- ESP transforms that are authenticated using MD5:
    - ESP-DES-HMAC-MD5
    - ESP-3DES-HMAC-MD5
    - ESP-AES128-HMAC-MD5
- Nested AH and ESP transforms that use MD5

If MD5 authentication fails between HP-UX IPSec version A.01.04 or higher and an earlier
version of HP-UX IPSec, you will see entries similar to the following in the HP-UX IPSec log
file:

    Msg: 31 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:12:30 2001
    Event: Integrity Check Value failure - SPI: 1C97D8 IP addr: 15.13.136.52:15.13.136.171 proto: 51.

To view an HP-UX IPSec log file, use the command:

    ipsec_report -audit audit_file_name [-file output_file_name]
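
The following Python example is added here and is not part of HP's release notes or tooling: it tallies Integrity Check Value failures per address pair and protocol from text in the layout of the log entry shown above, which helps identify the peers still running a pre-A.01.04 MD5 implementation. It assumes the ipsec_report output was saved as text in that layout with IPv4 addresses; all entries other than Msg 31 are constructed, and the code makes no assumption about which address of the pair is the sender.

```python
import re
from collections import Counter

# Msg 31 is the entry from the release notes; Msg 32-34 are constructed.
# Two entries are wrapped mid-address to exercise the unwrapping logic.
SAMPLE = """\
Msg: 31 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:12:30 2001
Event: Integrity Check Value failure - SPI: 1C97D8 IP addr: 15.13.136.52:15.1
3.136.171 proto: 51.
Msg: 32 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:12:41 2001
Event: Integrity Check Value failure - SPI: 1C97D8 IP addr: 15.13.136.52:15.1
3.136.171 proto: 51.
Msg: 33 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:13:02 2001
Event: Integrity Check Value failure - SPI: 2A0041 IP addr: 192.0.2.10:192.0.2.20 proto: 50.
Msg: 34 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:13:05 2001
Event: Placeholder non-ICV event (constructed).
"""

PROTO = {50: "ESP", 51: "AH"}  # IP protocol numbers
ICV_RE = re.compile(
    r"Integrity Check Value failure\s*-\s*SPI:\s*(?P<spi>[0-9A-Fa-f]+)\s*"
    r"IP addr:\s*(?P<a>[\d.]+):(?P<b>[\d.]+?)\s*proto:\s*(?P<proto>\d+)")

def entries(text):
    """Yield one string per log entry, rejoining wrapped lines."""
    cur = None
    for line in text.splitlines():
        if line.startswith("Msg:"):
            if cur is not None:
                yield cur
            cur = line
        elif cur is not None:
            # "Event:" opens a new field; any other line is a wrapped tail.
            cur += (" " if line.startswith("Event:") else "") + line
    if cur is not None:
        yield cur

def icv_failures(text):
    """Count ICV failures per (address, address, protocol)."""
    counts = Counter()
    for entry in entries(text):
        m = ICV_RE.search(entry)
        if m:
            proto = int(m["proto"])
            counts[(m["a"], m["b"], PROTO.get(proto, str(proto)))] += 1
    return counts

if __name__ == "__main__":
    for (a, b, proto), n in icv_failures(SAMPLE).most_common():
        print(f"{n:3d} ICV failure(s)  {a} <-> {b}  {proto}")
```

An address pair that repeatedly appears here with an MD5 transform configured is a candidate for the version mismatch described above; ICV failures can also have other causes, so confirm the installed HP-UX IPSec version on both peers.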